Be aware of an attack we see trending in community banks.
What Have We Seen?
Three separate client banks in three different states within the span of one week have reported an attack targeting the bank’s internet-based email clients, normally Outlook Web Access (OWA). In these incidents, the intruder gains access to a bank officer’s email and sends a new email with wire transfer instructions, via that officer’s email account, to a bank employee authorized to send wire transfers.
What Systems Are Affected?
This applies both to clients with in-house Microsoft Exchange servers and to those with hosted Exchange (Office 365 or other hosting providers). Please note that this attack could be performed against other email systems as well, provided they offer some method of checking email from the internet.
What is the Method of Attack?
Attacks seen thus far have started with a phishing email to one or more bank employees. The phishing emails have included a PDF attachment. The PDF files have not contained any type of malware, so the attachments pass through anti-malware filters without triggering intrusion prevention systems (IPSs) or other tripwires.
Instead, the contents of the PDF direct the user to click a hyperlink that leads to a webpage that collects login credentials. In some cases, the PDF and webpage have been made to look like an Outlook Web Access (OWA) login page, tricking the user into entering his/her login credentials.
In the incidents where the attacker gained access, the user’s valid login credentials were used, allowing full access to that user’s email.
What is the Purpose of the Attack?
After obtaining the employee’s login credentials, the attacker then attempts to access the employee’s email via the internet-based email portal (e.g., OWA).
After logging in to the employee’s email, the attacker typically looks for passwords for other systems stored in the mailbox and searches for emails related to wire transfer requests.
In at least two cases, the attackers then used that access, appearing to be a bank employee, to send legitimate-looking wire transfer requests internally to authorized bank employees or departments that typically process wires.
What Should You Do to Mitigate this Risk?
We recommend the following possible solutions to help protect against this type of attack:
1. Remind employees to be diligent in identifying phishing emails, especially those that ask for any type of login credentials or other sensitive information. As we always say, anyone can be tricked, so also remind employees to report any suspicious activity even if they believe they might have already fallen for such a phishing email.
2. Disallow external access to web-based email (e.g., OWA) for all employees who do not require such access or have other methods of receiving email.
3. Consider implementing multi-factor authentication for those employees who require external access to web-based email.
4. Alert all bank employees who process wire transfers to be aware of this attack method and to be cautious regarding wire requests received via email from other bank employees. Consider callback verification for wires of a certain threshold amount, even if requested internally from bank employees. Such a control could mitigate the risk of this attack being successful and provide a tripwire to alert management if an employee’s email has been compromised.
5. Activate your Incident Response Plan should you detect such activity.
6. Be prepared to activate your Customer Response Program should sensitive customer information be compromised.
7. Continue to test your Managed Security Services Provider’s (MSSP’s) 24/7 coverage of your network to determine whether, if the attack spreads past external email systems to the Bank’s internal network, malicious traffic emanating from inside the Bank’s network would be detected and the intrusion prevented, or whether the intruder would roam the Bank’s network undetected.
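The access restriction in item 2, as an added example that is not part of this advisory: a PowerShell script for the Exchange Management Shell (or an Exchange Online PowerShell session) that reports who currently has OWA enabled and then leaves it enabled only for members of a mail-enabled security group. The group name OWA-External-Allowed is an assumed placeholder; the script runs with -WhatIf so nothing changes until the report has been reviewed.

```powershell
# Added example: enforce an OWA allow-list (not code from the advisory).
# Assumes an Exchange Management Shell / Exchange Online session and a
# mail-enabled security group named "OWA-External-Allowed" (placeholder name).
$AllowedGroup = "OWA-External-Allowed"

# Normalised addresses of everyone who is permitted to use OWA.
$Allowed = Get-DistributionGroupMember -Identity $AllowedGroup -ResultSize Unlimited |
    ForEach-Object { $_.PrimarySmtpAddress.ToString().ToLower() }

$Mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

# Step 1: report the current exposure before touching anything.
$OwaEnabledNow = $Mailboxes | Get-CASMailbox | Where-Object { $_.OWAEnabled }
Write-Host ("OWA currently enabled for {0} of {1} user mailboxes" -f `
    @($OwaEnabledNow).Count, @($Mailboxes).Count)
$OwaEnabledNow | Select-Object Name, PrimarySmtpAddress | Format-Table -AutoSize

# Step 2: bring every mailbox in line with the allow-list.
foreach ($mbx in $Mailboxes) {
    $address      = $mbx.PrimarySmtpAddress.ToString().ToLower()
    $shouldHaveOwa = $Allowed -contains $address
    $cas           = Get-CASMailbox -Identity $mbx.Identity

    if ($cas.OWAEnabled -ne $shouldHaveOwa) {
        Write-Host ("{0}: OWAEnabled {1} -> {2}" -f $address, $cas.OWAEnabled, $shouldHaveOwa)
        # Remove -WhatIf once the report above has been reviewed and approved.
        Set-CASMailbox -Identity $mbx.Identity -OWAEnabled $shouldHaveOwa -WhatIf
    }
}
```

Setting OWAEnabled to $false disables OWA for internal users as well; an on-premises bank that wants internal-only webmail should instead block the /owa path at the perimeter firewall or reverse proxy. Re-run the reporting step periodically, since a mailbox that regains OWA access outside this process is itself worth investigating.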
What is the Recommended Long-Term Cybersecurity Strategy for Banks?
If your bank is one of the few that still does not have adequate Cybersecurity Assessment and IT Audit coverage, a qualified and reputable firm should be engaged to test your systems and provide a thorough and comprehensive report of the bank’s cybersecurity posture. A simple vulnerability scan or cursory review will not suffice.
Cybersecurity preparedness requires a multi-layered, well-planned, sophisticated approach. We also recommend that your bank undergo a true Cybersecurity Risk Assessment that considers a multitude of threats and how your bank is mitigating such risk through selected controls. This risk assessment should be presented to the Bank’s board of directors to increase awareness at the directorate level, secure proper oversight, and obtain adequate funding for cybersecurity preparedness.
If we can help you in this area, please visit our website at www.sawyersjacobs.com and review our services under our RedWolf Cybersecurity brand.